Hello all Romanian Crackers,
Hello all Crackers,

..::Calculici::..

FROM ONE NEWBIE TO ANOTHER
CD Tutor Nr. 4
Program: Septerra Core V1.0
Protection: CD-Check
Level: Beginner
Tools: 	W32Dasm 8.93
	Hiew 6
	Brain
	A cool drink.
E-mail: calculici83@yahoo.com

DISCLAIMER 

This reading material is not intended to violate Copyrights 
and/or it is law, but educational purposes only. I hold no 
responsibility ( by all means and in any shape whatsoever ) 
of the mis-used of this material.

FIRST OF ALL

We make the LARGE installation of 461MB, not the COMPLETE
installation of 553MB. OK. After the install remove the CD.

STARTING

Launch the game without the CD in the drive and you will get
this message:

"Please ensure that the CD is in the drive"

OK. Remember this and open W32DASM and disassemble the file
"septerra.exe". Wait a few seconds or minutes, and click
on the String Data References(SDR). Look for the message.
Double-click on it. And you will land here:

* Referenced by a CALL at Addresses:
|:00443918   , :00444276   
|

* Possible StringData Ref from Data Obj ->"Please insure that the CD is in "
                                        ->"the drive"
                                  |
:00444290 68C8604800              push 004860C8
:00444295 E826000000              call 004442C0
:0044429A 59                      pop ecx
:0044429B C3                      ret

OK. There are two CALL's 443918 AND 444276. Let's check the
first one. Go to the "Go" menu and press goto Code Location and
enter 443918.You will land here:

:004438AA C1E104                  shl ecx, 04
:004438AD 3BC3                    cmp eax, ebx
:004438AF 898124104C00            mov dword ptr [ecx+004C1024], eax
:004438B5 0F8592000000            jne 0044394D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00443947(C)
|
:004438BB F6812C104C0001          test byte ptr [ecx+004C102C], 01
:004438C2 0F8585000000            jne 0044394D
:004438C8 E8C64E0200              call 00468793
:004438CD 833802                  cmp dword ptr [eax], 00000002
:004438D0 CC                      int 03
:004438D1 46                      inc esi
:004438D2 E8BC4E0200              call 00468793
:004438D7 83380D                  cmp dword ptr [eax], 0000000D
:004438DA CC                      int 03
:004438DB 3CE8                    cmp al, E8
:004438DD B24E                    mov dl, 4E
:004438DF 0200                    add al, byte ptr [eax]
:004438E1 8B10                    mov edx, dword ptr [eax]
:004438E3 52                      push edx
:004438E4 E8E74D0200              call 004686D0
:004438E9 83C404                  add esp, 00000004
:004438EC 50                      push eax
:004438ED E8A14E0200              call 00468793
:004438F2 8B00                    mov eax, dword ptr [eax]
:004438F4 8D4C2414                lea ecx, dword ptr [esp+14]
:004438F8 50                      push eax
:004438F9 51                      push ecx

* Possible StringData Ref from Data Obj ->"Unable to open %s"
                                  |
:004438FA 68B05E4800              push 00485EB0
:004438FF 68201F4D00              push 004D1F20
:00443904 E82F3B0200              call 00467438
:00443909 68201F4D00              push 004D1F20
:0044390E E88D090000              call 004442A0
:00443913 83C418                  add esp, 00000018
:00443916 EB05                    jmp 0044391D
:00443918 E873090000              call 00444290			<--This is the call

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00443916(U)

See the conditional JUMP at 4438B5. If we did change this jump we could bypass
the CD-Check routine. OK. There are two ways of dealing with it.

First: turn the JNE into JE. That means turning 0F85 into 0F84.
Second: turn the JNE into JMP. This means turning 0F8592000000 to E99300000090

Be sure that the highlighted line is:

:004438B5 0F8592000000            jne 0044394D

and look at the bottom of the page to see the offset.
For me it was 438B5. Remember this and launch HIEW. Open the file "septerra.exe"
press ENTER (twice) to enter the Decode Mode. Press F5 and enter 438B5.
Press F3 and change the bytes in one of the two ways you want. Personally I
recomend the Second approch. So change 0F8592000000 to E99300000090. OK.
Now run the game and what do you now. It doesn't ask for the CD.

FINAL WORDS

Hope you liked this tutorial.

GREETS

	+Dza Kraker(Regele Piratilor)		<--You showed me the way man
	Xasx					<--Thanx for publishing my tuts
	My mom					<--I will always love you
	My girlfriend				<--Oh, you are so far
	My dad					<--My dad is my tester
	My collegs				<--I made some cracks for them
	ENDer 2000				<--The site where I realese my cracks
	TNT					<--For it is a real pleasure to
						   watch this guys and to be friends with them
	tKC					<--You got me hooked on, on this
	Phrozen Crew				<--You were the best
	LaZaRuS					<--He helped me too
	Corneliu Vadim Tudor			<--Hope he wont pe president in my country
	All of you				<--The ones who try doing something with their life
	The rest				<--Hope I didn't forget no one
	Dragos					<--For the CD with Septerra Core
	

<<--Everything starts from a ZERO-->>
E-mail: calculici83@yahoo.com
Name: Calculici